Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. This video is for the analysis of a JPEG image with malware for my diary entry, James Webb JPEG with malware. On Wednesday's Stormcast, Johannes talked about a malware that was inside a James Webb telescope image from this blog post here. This is the blog post. They explain that they have found malware that uses JPEG images to transfer the content, to transfer the payload. So the code will not execute when you open the JPEG. That's not it, but the JPEG is used to transfer the payload in a hidden way. And if you go to the bottom, here you have IOCs. And this is the IOC for the JPEG that you can find on VirusTotal. So I wanted to take a closer look at the JPEG itself. And I have it here, inside the password-protected zip file. And I'm going to take a look at it with my tool jpegdump. But before I do that, I'm going to show you what a normal JPEG looks like, like the one that I have here, James Webb JPEG. It's this well-known image of the James Webb telescope. So let me run my tool jpegdump on it. And then you get a list of all of the segments found inside that JPEG file. A JPEG is built up of segments, which are records. And you have different types of records. A normal JPEG file should start with an SOI segment, start of image, and end with an EOI, end of image. And in between, you have different segments with data, like APP segments, discrete cosine table segments, start of frame segments, Huffman table segments. That's all for the compression here, DQT and DHT. And then the image itself, SOS, start of scan, with here the compressed image. With my tool, you can select a segment to take a closer look inside. For example, select 2. And here you can see that it contains this data, APP0. Let's take a look at number 3 and 4 too. Number 3, which is rather large, so I'm going to do more. And as you can see here, this is Photoshop metadata.
Space Telescope Institute, NASA, and so on. Segment 4, this is the EXIF data, Adobe Photoshop. So that's what a normal JPEG looks like. Now let's take a look at the JPEG that contains malware. OK, and here we have many more segments. If we take a look, we have a start of image, OK, that's normal. And then going down here, segment 15 is an end of image. And then segment 16 is another start of image. And if we go down here, 30 is an end of image, 31 start of image, 45 end of image. So what we have here inside that file is three JPEG files concatenated together. So it's not a picture with three frames now. It's three times a JPEG file that is put inside this file. Of course, what I wanted to know is: are these different images, or are they the same, are they identical? And that is something I can figure out by using option uppercase E (extra) to calculate the hash of each segment's data, like this, OK? So now for each segment that has data (the start of image and end of image segments have no data), but for each segment that has data, I have the SHA256, OK? So these are all different here. And then for the next image, again, I have the SHA256 of the data of each segment. And if a hash has been seen before, then between parentheses, you will have the number of the segment, so the index of the segment it corresponds with, which has the same hash. So here, this segment 17 has the same hash as segment 2 here. And that is similar for all the hashes that follow: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14. So these are all the segments here. So all of the segments here have data that is identical, at least the hashes are identical. So the data should be the same, too. So from that, I can conclude that these two images are actually the same, because of the same hashes, and the same goes for the third picture. Here you can see that it matches two previous hashes, in segment 2 and also in segment 17, 3 and 18.
So 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, which corresponds to this here. So again, these three images are identical because the hashes of the data of the segments are the same. OK, so that's one thing. Now we know we have three pictures that are identical. So actually only one to look at. Now, the next thing here is this D parameter. D stands for difference, and it should always be 0, because this tells you how many unexpected bytes there are between two segments. So there shouldn't be any bytes between segments. It should all be proper segments and nothing should be in between here. But as you can see here, between segment 15, the end of image of the first image, and segment 16, the start of image of the second image, there is a lot of data, more than 2 million bytes. So between those two pictures that have been concatenated together inside that file, something else has been put, which is not a picture. Otherwise, the tool would find segments inside here, but there are no segments inside. So let's take a look. So it's segment 16. If I select segment 16, sorry, not the SHA here, select segment 16. OK, nothing is selected because this is a start of image segment and it has no data. To select the data which is between segment 15 and 16, just add a D to the index. So select the difference that comes before segment 16, like this. And then we get a hexadecimal ASCII dump of the data that is found here. And here you can see a lot of As and "certificate". So let's also take a look at the beginning, and I'm going to do that with my headtail utility. It's just a combination of the head and tail utilities. So you have the first 10 lines of the output and the last 10 lines of the output. And here you can see BEGIN CERTIFICATE and here END CERTIFICATE. So it looks like a certificate has been put in between those two images. Let's dump it and not do an ASCII dump. But now we suspect it is actually a printable certificate.
So let's do a dump, and indeed this is a certificate. Now it is not a proper certificate, because a certificate should always start with the letter M. I also refer to that in my diary entry here. You can see it starts with TVQ. Well, that's not normal, because if you go to this blog post here, I explain that a certificate always starts with byte value 30, and that results in the letter M. So if you have a certificate like here and it doesn't start with uppercase M, then something is wrong. And that's the case here, because it starts with TV, and TV, that's also well known, because that is the MZ header for PE files. So this is base64. We can decode this with my tool base64dump, like this. And then each line is separately decoded. At the end, a lot of zeros. Here we can see strings that correspond to executable code. Let's take a look at the beginning. So here we have the MZ running those text data. So this certainly looks like a PE file. I'm going to use option W to ignore all white space. So the result of that is that all those base64 strings, so let me show you, here, this line, this line, this line, all of that is concatenated together when you ignore the white space, like the carriage return, newline here, like this. And then it just finds two strings. BEGIN CERTIFICATE, OK, that's a false positive. But here, TVQ, MZ, and here you have the MD5 of the file. So you can look that up on VirusTotal, for example. This is the VirusTotal here of the image. And this is the VirusTotal analysis of the malware, the PE file, 64-bit, and assembly, and what it does. I'm not going to analyze the PE file itself here. And also the PE file doesn't execute when the JPEG is opened. There's other malware that extracts the JPEG from the image. That is all explained in the blog post that you can find here when you go to my diary entry or to the Stormcast page of that day.
OK, so the last thing I'm going to do: I'm going to select that base64 decoding number 2, do a binary dump, and pipe this through my pecheck tool to confirm that it is indeed a PE file. And it is, because it decodes properly. And lastly, an overview of the segments. OK, so what is the malware here? How was it created? Well, just by taking one picture of James Webb, concatenating this together. So for example, do a copy of James Webb and then the malware encoded as a certificate. And it's encoded as a certificate because then it can be just decoded with certutil. Again, James Webb, do this binary, and then here malware JPEG, like this. So that's actually how the image, that's one of the ways to create that image.
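The three checks walked through in the video (counting SOI/EOI pairs to spot concatenated JPEGs, flagging unexpected bytes between segments like jpegdump's difference column, hashing segment data to find duplicates, and verifying that a PEM "certificate" decodes to DER starting with byte 0x30) as a small added detector. This is example code written for this page, not jpegdump or any of Didier's tools; the sample input is constructed inline: two identical minimal JPEGs with a fake certificate block between them.

```python
import base64, hashlib, re, struct
RST = set(range(0xD0, 0xD8))                  # RSTn markers: no length field, legal inside scan data
STANDALONE = {0x01, 0xD8, 0xD9} | RST         # TEM, SOI, EOI also carry no length field

def parse_segments(data):
    """Walk the marker segments; return (segments, trailing) with each segment as (marker, payload, bytes_before)."""
    segs, pos, gap = [], 0, bytearray()
    while pos < len(data):
        if data[pos] != 0xFF or pos + 1 >= len(data) or data[pos + 1] in (0x00, 0xFF):
            gap.append(data[pos]); pos += 1; continue       # not a marker: unexpected byte between segments
        marker = data[pos + 1]
        if marker in STANDALONE:
            payload, pos = b"", pos + 2
        else:
            ln = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            payload, pos = data[pos + 4:pos + 2 + ln], pos + 2 + ln
        if marker == 0xDA:                                  # SOS: entropy-coded data runs to the next real marker
            end = pos
            while end + 1 < len(data) and not (data[end] == 0xFF and data[end + 1] and data[end + 1] not in RST):
                end += 1
            payload, pos = payload + data[pos:end], end
        segs.append((marker, payload, bytes(gap))); gap = bytearray()
    return segs, bytes(gap)

def analyze(data):
    """Count images, report gaps between segments, map duplicate segment data by SHA256,
    and flag PEM blocks in a gap whose DER does not start with 0x30 (base64 'M')."""
    segs, trailing = parse_segments(data)
    rep, seen = {"images": sum(m == 0xD8 for m, _, _ in segs), "gaps": [], "dupes": {}, "bad_pem": []}, {}
    for i, (_, payload, gap) in enumerate(segs, 1):
        if gap:
            rep["gaps"].append((i, len(gap)))               # like jpegdump's d column, before segment i
            for body in re.findall(rb"-----BEGIN CERTIFICATE-----(.*?)-----END", gap, re.S):
                der = base64.b64decode(re.sub(rb"\s", b"", body))
                if der[:1] != b"\x30":
                    rep["bad_pem"].append((i, der[:2]))     # e.g. b"MZ": a PE file dressed up as a certificate
        if payload:
            h = hashlib.sha256(payload).hexdigest()
            if h in seen: rep["dupes"][i] = seen[h]         # same data as an earlier segment
            else: seen[h] = i
    if trailing: rep["gaps"].append((len(segs) + 1, len(trailing)))
    return rep

def _mini_jpeg():                 # constructed: SOI, one APP0 (JFIF) segment, EOI; no real picture data
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0 + b"\xff\xd9"

FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"MZ" + b"\x90" * 40)
            + b"\n-----END CERTIFICATE-----\n")           # constructed: PEM wrapper around an MZ stub, not a certificate
SAMPLE = _mini_jpeg() + FAKE_PEM + _mini_jpeg()           # two identical JPEGs with the blob concatenated between them
```

On SAMPLE, analyze() reports two images, one gap before segment 4, segment 5 as a duplicate of segment 2, and the PEM block as bad because it decodes to MZ rather than 0x30.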